Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-05-2024 14:51
Static task
static1
Behavioral task
behavioral1
Sample
01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe
Resource
win10v2004-20240508-en
General
-
Target
01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe
-
Size
79KB
-
MD5
f9afb31bc17811e5ab4fa406f105b1fe
-
SHA1
d1a9449dcc8a3aa0c887bce71f128866175f679a
-
SHA256
01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f
-
SHA512
6feca3dfa221b704208754e67bcdce02a2253961da098b3e376d11217cd00b9f77e42f37f242e1a1f4b759b5fd172c29c9f153fce32eace48e07e802aff40b55
-
SSDEEP
1536:SX6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:uhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI
Malware Config
Extracted
C:\Users\Admin\3D Objects\How To Restore Your Files.txt
darkside
Signatures
-
Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\T: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\U: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\I: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\O: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\L: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\M: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\W: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\E: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\R: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\S: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\H: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\J: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\N: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\Q: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\Y: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\P: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\A: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\K: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\Z: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\X: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\V: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe File opened (read-only) \??\B: 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2928 vssadmin.exe 780 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2896 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe 2896 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1332 vssvc.exe Token: SeRestorePrivilege 1332 vssvc.exe Token: SeAuditPrivilege 1332 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2896 wrote to memory of 1644 2896 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe 83 PID 2896 wrote to memory of 1644 2896 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe 83 PID 1644 wrote to memory of 2928 1644 cmd.exe 87 PID 1644 wrote to memory of 2928 1644 cmd.exe 87 PID 2896 wrote to memory of 3328 2896 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe 88 PID 2896 wrote to memory of 3328 2896 01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe 88 PID 3328 wrote to memory of 780 3328 cmd.exe 91 PID 3328 wrote to memory of 780 3328 cmd.exe 91 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe"C:\Users\Admin\AppData\Local\Temp\01c647838c374e91e8f9fe967fd25235d72264414bb0d5b82c4fbd4151a9717f.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:780
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59b57be4df98eb3b740a28da699734499
SHA1abee599dc58c21a7cacf4bc6a727fee782df8b23
SHA256d7c3edc0231627dccb4c8fc5477ef3bb556f73b5f44d26d7b979c86e856731d6
SHA51296299b107c3623bda24845a732147b988b153664355a6748c5085e443b626377c8b5cc4c5a83347cc00093dffa7233d6a9665f2b812a2f6e7244b9a9c8f3a389